The General Laws, as appearing in the 2022 Official Edition, are hereby amended by inserting after chapter 93L the following chapter:-

Chapter 93M. Biometric Information Privacy Act.

Section 1. Definitions.

As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:

"Biometric identifier" means a physiological or biological characteristic that is used by or on behalf of a private entity, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to a retina or iris scan, fingerprint, voiceprint, pattern of gait or movement, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs or tissues or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency.  Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.

"Biometric information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.

"Commercial Establishment" means a place of entertainment, a retail store, or a food and drink establishment.

"Confidential and sensitive information" means personal information that can be used to uniquely identify an individual or an individual's account or property. Examples of confidential and sensitive information include, but are not limited to, a genetic marker, genetic testing information, a unique identifier number to locate an account or property, an account number, a PIN number, a pass code, a driver's license number, or a social security number.

"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized.

"Written consent " means informed written consent.

Section 2. Collection, Retention, Destruction, and Disclosure of Biometric Information.

(a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the person from whom biometric information is to be collected or was collected, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 1 year of the individual's last interaction with the private entity, whichever occurs first. Absent a valid order, warrant, or subpoena issued by a court of competent jurisdiction or a local or federal governmental agency, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.

(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:

(1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;

(2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(3) receives written consent executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.  Written consent may be obtained by electronic means.

(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.

(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless:

(1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative provides written consent to the disclosure or redisclosure;

(2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative;

(3) the disclosure or redisclosure is required by state or federal law or municipal ordinance; or

(4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

(e) A private entity in possession of a biometric identifier or biometric information shall:

(1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and

(2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

(f) No commercial establishment shall use a person's or a customer's biometric identifier or biometric information to identify them. 

Section 3. Right of Action.

(a) Any person aggrieved by a violation of this chapter shall have a cause of action pursuant to the procedures set forth in chapter 93A.  Damages pursuant to any said action shall be no less than $5,000 per violation or actual damages suffered, whichever is greater, or up to three but not less than two times such amount if the court finds that the violation was a willful or knowing act.  Damages may also include attorneys’ fees and costs.

(b) The attorney general may bring an action in the name of the commonwealth pursuant to the procedures set forth in chapter 93A upon any violation or suspected violation of this chapter.  Damages pursuant to any said action shall be no less than $5,000 per violation or actual damages suffered, whichever is greater, or up to three but not less than two times such amount if the court finds that the violation was a willful or knowing act.

Section 4. Construction.

(a) Nothing in this chapter shall be construed to impact the admission or discovery of biometric identifiers and biometric information in any action of any kind in any court, or before any tribunal, board, or agency.

(b) Nothing in this chapter shall be construed to conflict with the federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under said Act.